I work for a company and we are on a domain.
At the minute we have 8 meeting rooms and in those meeting rooms there are 8 mini PCs.
At the moment the only people that are allowed to log on to this PC are admins because in AD under our accounts we have the option 'log on to' all computers.
So everyone else in the company is set up under their account as LOGONTO and then the PC that they are at.
What I am looking for is to make everyone able to log on to the meeting room PCs without specifying the PC names.
I have an OU in AD with all the meeting rooms.
There are over 100 in the company.
I want everyone to be able to log on to their own computers PLUS the 8 computers in the meeting rooms.
I have been trying for hours, tried group policy and I think I did everything correctly, but I get the error message 'your account is not configured to use this computer please try another computer'.
Mini PCs have Windows 7, we are using Windows Server 2008 to manage.
How do I go about doing this?
Best Answer
Instead of using the Log On To setting in your user's AD account settings, leverage the Allow log on locally group policy setting (found in Group Policy at Computer/Policies/Security Settings/Local Policies).
The Allow log on locally setting specifies local users or groups on a workstation that have permission to log on to that machine. The groups (and one user) that are granted permission to log on locally by default are:
The AD security group Domain Users is automatically made a member of a workstation's local Users group when the machine is joined to the domain. This is how AD users get permission to log on to all domain computers. (Also, the domain group Domain Administrators is automatically made a member of the local Administrators group.)
You can accomplish your objective by either:
Users group
Allow log on locally policy setting directly
Either of these approaches would necessitate abandoning use of the Log On To setting in your user's AD account settings in favor of controlling who can log on where based on their membership (or not) in a group that is either directly listed in the Allow log on locally GP setting, or is a member of a group listed in that same setting.
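
As an added example (not part of the original answer), a read-only PowerShell audit that lists the accounts still carrying a Log On To restriction and the meeting-room PCs each one would be refused on. It assumes the ActiveDirectory module and PowerShell 3.0 or later are available; the OU distinguished name is a constructed placeholder.

```powershell
# Added example: audit of Log On To (userWorkstations) restrictions.
# Read-only: nothing in the directory is changed.
Import-Module ActiveDirectory

# Placeholder DN for the OU that holds the meeting-room PCs (assumption).
$meetingRoomOU = 'OU=MeetingRooms,DC=example,DC=com'

# Computer names in the meeting-room OU.
$roomPCs = Get-ADComputer -Filter * -SearchBase $meetingRoomOU |
    Select-Object -ExpandProperty Name

# Users whose account still has a Log On To list. The LogonWorkstations
# property is the comma-separated userWorkstations attribute.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

$report = foreach ($user in $restricted) {
    # Split the stored list into individual workstation names.
    $allowed = @($user.LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })

    # Meeting-room PCs that are absent from this user's list; these are the
    # machines that answer "your account is not configured to use this computer".
    $blocked = @($roomPCs | Where-Object { $allowed -notcontains $_ })

    [pscustomobject]@{
        User                = $user.SamAccountName
        AllowedWorkstations = $allowed -join ','
        BlockedMeetingRooms = $blocked -join ','
    }
}

$report | Sort-Object User | Format-Table -AutoSize

# Once logon is controlled through group membership and the
# Allow log on locally setting, the per-user list can be reviewed for removal:
#   Set-ADUser -Identity <user> -Clear userWorkstations -WhatIf
```

An empty BlockedMeetingRooms column means the account's Log On To list already covers every PC in the OU; accounts that do not appear in the report have no Log On To restriction at all.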